[GitHub] nifi pull request #2927: NIFI-5473 Added section on using external signed CA...

[pepov <gi...@git.apache.org>]

Github user pepov commented on a diff in the pull request:

    https://github.com/apache/nifi/pull/2927#discussion_r206802784
  
    --- Diff: nifi-docs/src/main/asciidoc/administration-guide.adoc ---
    @@ -281,6 +281,272 @@ After running the client you will have the CA’s certificate, a keystore, a tru
     
     For a client certificate that can be easily imported into the browser, specify: `-T PKCS12`
     
    +==== Using An Existing Intermediate Certificate Authority (CA)
    +
    +In some enterprise scenarios, a security/IT team may provide a signing certificate that has already been signed by the organization's certificate authority (CA). This *intermediate CA* can be used to sign the *node* (sometimes referred to as *leaf*) certificates that will be installed on each NiFi node. In order to inject the existing signing certificate into the toolkit process, follow these steps:
    +
    +. Generate or obtain the signed intermediate CA keys in the following format (see additional commands below):
    +  * Public certificate in PEM format: `nifi-cert.pem`
    +  * Private key in PEM format: `nifi-key.key`
    +. Place the files in the *toolkit directory*. This is the directory where the tool binary (usually called via the invoking script `tls-toolkit.sh` or `tls-toolkit.bat`) is configured to output the signed certificates. *This is not necessarily the directory where the binary is located or invoked*. 
    --- End diff --
    
    When I said "running the toolkit from the directory" I meant it's the working directory and not that the toolkit has to be put there. This was obvious to me, but seems it's not the cleanest wording either.
    I did not try to approach this from a Docker perspective, just wanted to point out, that it was confusing for me, however I accept if you would rather stay with the original wording.


---